Encrypt Nuxeo password in database
We are using Nuxeo 5.6-RC2. We are connecting via the Oracle template. We have also customized Nuxeo to use our customized pre-made users instead of the default Nuxeo users.
Now, the username and password, Administrator and Administrator, are placed in the MY_CUSTOMIZED_USERS table, and obviously they are not encrypted. In the production environment, users have access to the database and they can see the Administrator password.
Is there any way we can customize Nuxeo to have our login passwords in the database encrypted?
Only the initial Administrator password, that is the word “Administrator”, is not encrypted as the assumption was made that it needs to be reset anyway to make it secure. The moment you change the Administrator password, it does get encrypted.
Please make a test and change your Administrator password and then query the users table to see if that indeed is the case.
That's the XML of our contribution:
<extension target="org.nuxeo.ecm.directory.sql.SQLDirectoryFactory"
    point="directories">
  <directory name="RecmUserDirectory">
    <schema>user</schema>
    <idField>username</idField>
    <passwordField>password</passwordField>
    <passwordHashAlgorithm>SSHA</passwordHashAlgorithm>
    <autoincrementIdField>false</autoincrementIdField>
    <dataSource>java:/nxsqldirectory</dataSource>
    <table>recm_users</table>
    <dataFile>data/users.csv</dataFile>
    <createTablePolicy>never</createTablePolicy>
    <querySizeLimit>15</querySizeLimit>
    <nativeCase>true</nativeCase>
    <references>
      <inverseReference field="groups" directory="groupDirectory"
          dualReferenceField="members" />
    </references>
  </directory>
</extension>
user.csv contains our users' usernames and passwords, but they are not encrypted.
The point is that <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> says that the password needs to be SSHA encrypted, but in the database it is initially unencrypted, unless we change it.
Is there any way that our initial passwords are stored in the database as encrypted?
If <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> is in the config then Nuxeo will encrypt any password it writes, but will still be able to read unencrypted ones.
If you populate the password database using an external system, then you'll have to do the encryption yourself. You can see how SSHA is implemented by reading the code at https://github.com/nuxeo/nuxeo-services/blob/master/nuxeo-platform-directory/nuxeo-platform-directory-sql/src/main/java/org/nuxeo/ecm/directory/sql/PasswordHelper.java
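Added example, not part of the original answer and not Nuxeo's own code: a Python sketch of hashing the password column of a users CSV before it is loaded by an external system. It assumes the conventional LDAP-style layout, "{SSHA}" followed by base64(SHA-1(password + salt) + salt), and an 8-byte salt; confirm both against the PasswordHelper.java linked above for your Nuxeo version. The function names, column names and sample rows are constructed for illustration.

```python
import base64
import csv
import hashlib
import hmac
import io
import os

PREFIX = "{SSHA}"
SALT_LEN = 8     # assumption: salt size; verify against PasswordHelper.java
SHA1_LEN = 20    # SHA-1 digest size in bytes


def ssha_hash(password, salt=None):
    """Return PREFIX + base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the digest with the salt carried inside the stored value."""
    if not stored.startswith(PREFIX):
        return False
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def hash_csv(text, column="password"):
    """Hash every plaintext value in `column`; skip values already hashed."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if not row[column].startswith(PREFIX):
            row[column] = ssha_hash(row[column])
        writer.writerow(row)
    return out.getvalue()


# Constructed sample standing in for data/users.csv (column names assumed).
SAMPLE_CSV = "username,password\nAdministrator,Administrator\njdoe,s3cret\n"

if __name__ == "__main__":
    print(hash_csv(SAMPLE_CSV), end="")
```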